Hello, I wrote an authorize policy used to update some VPN attributes against specific ldap groups. I see a different behavior when I use a "switch case" logic versus using "if" condition. When using "switch case", the ldap module is not called. So, the ldap group is not populated and the test doesn't work. But if I do the same test using an "if" condition then it works. Configuration using "switch case" - not working in authorize section : switch &Ldap-group { case "group1" { update { reply:Reply-message := "You are from group1." } return } case "group2" { update { reply:Reply-message := "You are from group1." } return } case { update { reply:Reply-message := "You are unknown." } return } } Configuration using "if / elsif / else" - working in authorize section : if (&Ldap-group == "group1") { update { reply:Reply-message := "You are from group1." } return } elsif (&Ldap-group == "group2") { update { reply:Reply-message := "You are from group1." } return } else { update { reply:Reply-message := "You are unknown." } return } I had a look on some documentations (man unlang, rlm_ldap) but I do not understand if it is a normal behavior of the condition "switch case" or not. Thank you for your help -- Jérôme BERTHIER DSI - Service Conception d'Infrastructure Inria Bordeaux - Sud-Ouest + 33 5 24 57 40 50